# Flatcar Container Linux Release - December 13, 2023
(Equinix Metal ARM64 has failed in all the channels due to resource constraints so not considered for evaluation)
## Alpha 3815.0.0
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
## Beta 3760.1.1
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
## Stable 3602.2.3
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_ / _WAIT_ / _NO-GO_
## Communication
---
#### Guidelines / Things to Remember
- Release notes are used in a PR and will appear on https://www.flatcar.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
- Make sure the LTS is referred to as `LTS-2021`, and not `LTS-2605`
---
### Announcement Message
Subject: Announcing new releases Alpha 3815.0.0, Beta 3760.1.1, Stable 3602.2.3
Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta and Stable channels.
#### Alpha 3815.0.0
_Changes since **Alpha 3794.0.0**_
#### Security fixes:
- Linux ([CVE-2023-6121](https://nvd.nist.gov/vuln/detail/CVE-2023-6121))
- Go ([CVE-2023-39326](https://nvd.nist.gov/vuln/detail/CVE-2023-39326), [CVE-2023-45285](https://nvd.nist.gov/vuln/detail/CVE-2023-45285))
#### Bug fixes:
- Deleted files in `/etc` that have a tmpfiles rule that normally would recreate them will now show up again through the `/etc` lowerdir ([Flatcar#1265](https://github.com/flatcar/Flatcar/issues/1265), [bootengine#79](https://github.com/flatcar/bootengine/pull/79))
- Fixed the missing `/etc/extensions/` symlinks for the inbuilt Docker/containerd systemd-sysext images on update from Beta 3760.1.0 ([update_engine#32](https://github.com/flatcar/update_engine/pull/32))
- GCP: Fixed OS Login enabling ([scripts#1445](https://github.com/flatcar/scripts/pull/1445))
#### Changes:
- GCP OEM images now use a systemd-sysext image for layering additional platform-specific software on top of `/usr` and being part of the OEM A/B updates ([flatcar#1146](https://github.com/flatcar/Flatcar/issues/1146))
#### Updates:
- Linux ([6.1.66](https://lwn.net/Articles/954112) (includes [6.1.65](https://lwn.net/Articles/953648/), [6.1.64](https://lwn.net/Articles/953132), [6.1.63](https://lwn.net/Articles/952003)))
- Go ([1.20.12](https://go.dev/doc/devel/release#go1.20.12))
- acpid ([2.0.34](https://sourceforge.net/p/acpid2/code/ci/2.0.34/tree/Changelog))
- afterburn ([5.5.0](https://github.com/coreos/afterburn/releases/tag/v5.5.0))
- ca-certificates ([3.95](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_95.html))
- containerd ([1.7.10](https://github.com/containerd/containerd/releases/tag/v1.7.10))
- efibootmgr ([18](https://github.com/rhboot/efibootmgr/releases/tag/18))
- efivar ([38](https://github.com/rhboot/efivar/releases/tag/38))
- ipvsadm ([1.31](https://git.kernel.org/pub/scm/utils/kernel/ipvsadm/ipvsadm.git/tag/?h=v1.31) (includes [1.28](https://git.kernel.org/pub/scm/utils/kernel/ipvsadm/ipvsadm.git/tag/?h=v1.28), [1.29](https://git.kernel.org/pub/scm/utils/kernel/ipvsadm/ipvsadm.git/tag/?h=v1.29) and [1.30](https://git.kernel.org/pub/scm/utils/kernel/ipvsadm/ipvsadm.git/tag/?h=v1.30)))
- libmnl ([1.0.5](https://git.netfilter.org/libmnl/log/?h=libmnl-1.0.5))
- libnetfilter_conntrack ([1.0.9](https://git.netfilter.org/libnetfilter_conntrack/log/?h=libnetfilter_conntrack-1.0.9))
- libnetfilter_cthelper ([1.0.1](https://git.netfilter.org/libnetfilter_cthelper/log/?id=8cee0347cc6969c39bb64000dfaa676a8f9e30f0))
- libnetfilter_cttimeout ([1.0.1](https://git.netfilter.org/libnetfilter_cttimeout/log/?id=068d36d6291f53a0a609ab1f695aa06e94ce3d30))
- libnfnetlink ([1.0.2](https://git.netfilter.org/libnfnetlink/log/?h=libnfnetlink-1.0.2))
- libunwind ([1.7.2](https://github.com/libunwind/libunwind/releases/tag/v1.7.2) (includes [1.7.0](https://github.com/libunwind/libunwind/releases/tag/v1.7.0)))
- liburing ([2.3](https://github.com/axboe/liburing/blob/liburing-2.3/CHANGELOG))
- SDK: squashfs-tools ([4.6.1](https://github.com/plougher/squashfs-tools/releases/tag/4.6.1) (includes [4.6](https://github.com/plougher/squashfs-tools/releases/tag/4.6)))
#### Beta 3760.1.1
_Changes since **Beta 3760.1.0**_
#### Security fixes:
- Linux ([CVE-2023-6121](https://nvd.nist.gov/vuln/detail/CVE-2023-6121))
#### Bug fixes:
- Deleted files in `/etc` that have a tmpfiles rule that normally would recreate them will now show up again through the `/etc` lowerdir ([Flatcar#1265](https://github.com/flatcar/Flatcar/issues/1265), [bootengine#79](https://github.com/flatcar/bootengine/pull/79))
- Fixed the missing `/etc/extensions/` symlinks for the inbuilt Docker/containerd systemd-sysext images on update from Beta 3760.1.0 ([update_engine#32](https://github.com/flatcar/update_engine/pull/32))
- GCP: Fixed OS Login enabling ([scripts#1445](https://github.com/flatcar/scripts/pull/1445))
#### Changes:
- linux kernel: added zstd support for squashfs kernel module ([scripts#1297](https://github.com/flatcar/scripts/pull/1297))
#### Updates:
- Linux ([6.1.66](https://lwn.net/Articles/954112) (includes [6.1.65](https://lwn.net/Articles/953648/), [6.1.64](https://lwn.net/Articles/953132), [6.1.63](https://lwn.net/Articles/952003)))
- afterburn ([5.5.0](https://github.com/coreos/afterburn/releases/tag/v5.5.0))
- ca-certificates ([3.95](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_95.html))
#### Stable 3602.2.3
_Changes since **Stable 3602.2.2**_
#### Security fixes:
- Linux ([CVE-2023-46862](https://nvd.nist.gov/vuln/detail/CVE-2023-46862), [CVE-2023-6121](https://nvd.nist.gov/vuln/detail/CVE-2023-6121))
#### Bug fixes:
- Deleted files in `/etc` that have a tmpfiles rule that normally would recreate them will now show up again through the `/etc` lowerdir ([Flatcar#1265](https://github.com/flatcar/Flatcar/issues/1265), [bootengine#79](https://github.com/flatcar/bootengine/pull/79))
#### Updates:
- Linux ([5.15.142](https://lwn.net/Articles/954114) (includes [5.15.141](https://lwn.net/Articles/953649/), [5.15.140](https://lwn.net/Articles/953130), [5.15.139](https://lwn.net/Articles/952004)))
- ca-certificates ([3.95](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_95.html))
### Detailed Security Report
**Security fix**: With the Alpha 3815.0.0, Beta 3760.1.1, Stable 3602.2.3 releases we ship fixes for the CVEs listed below.
#### Alpha 3815.0.0
* Go
  * [CVE-2023-39326](https://nvd.nist.gov/vuln/detail/CVE-2023-39326) CVSSv3 score: 5.3 (Medium)
    A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
  * [CVE-2023-45285](https://nvd.nist.gov/vuln/detail/CVE-2023-45285) CVSSv3 score: 7.5 (High)
    Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
* Linux
  * [CVE-2023-6121](https://nvd.nist.gov/vuln/detail/CVE-2023-6121) CVSSv3 score: n/a
    An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This flaw allows a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed (and potentially leaked) to the kernel ring buffer (dmesg).
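The chunk-extension abuse described above for CVE-2023-39326, as an added example that is not Go's net/http code and not part of this release: a chunked-body decoder that discards extensions but charges their bytes against a framing budget, in the spirit of the ratio check the fix introduced. The 16 KiB budget and the 4-framing-bytes-per-data-byte allowance are assumptions chosen for this example.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

// ErrTooMuchOverhead: framing (size lines, extensions, CRLFs) dwarfs the body bytes delivered.
var ErrTooMuchOverhead = errors.New("chunked encoding contains too much non-data")
const maxExcess = 16 * 1024 // assumed framing budget, not necessarily net/http's value

// DecodeChunked decodes a chunked transfer-coded body held in memory, discarding
// chunk extensions, and fails once the ratio of data to framing bytes gets too small.
func DecodeChunked(enc string) (string, error) {
	var body strings.Builder
	var excess int64 // framing bytes not yet "paid for" by data bytes
	for {
		eol := strings.Index(enc, "\r\n") // chunk-size [; extension] CRLF
		if eol < 0 {
			return "", errors.New("truncated chunk-size line")
		}
		line, rest := enc[:eol], enc[eol+2:]
		excess += int64(eol) + 4 // size line, its CRLF, and the CRLF after the data
		if i := strings.IndexByte(line, ';'); i >= 0 {
			line = line[:i] // drop the extension: it carries no body bytes
		}
		size, err := strconv.ParseUint(strings.TrimSpace(line), 16, 32)
		if err != nil {
			return "", err
		}
		n := int(size)
		// Allow 4 framing bytes per data byte plus 4 per chunk, so a legitimate
		// one-byte-per-chunk sender ("1\r\nX\r\n", 5 bytes) never trips the check.
		if excess -= 4 * (int64(n) + 1); excess < 0 {
			excess = 0
		}
		if excess > maxExcess {
			return "", ErrTooMuchOverhead
		}
		if n == 0 {
			return body.String(), nil // last chunk; trailers are not parsed here
		}
		if len(rest) < n+2 || rest[n:n+2] != "\r\n" {
			return "", errors.New("truncated or malformed chunk data")
		}
		body.WriteString(rest[:n])
		enc = rest[n+2:]
	}
}
```

A sender padding every one-byte chunk with a kilobyte of extension data is rejected after a few chunks, while ordinary bodies and honest one-byte-per-chunk streams decode unchanged.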
#### Beta 3760.1.1
* Linux
  * [CVE-2023-6121](https://nvd.nist.gov/vuln/detail/CVE-2023-6121) CVSSv3 score: n/a
    An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This flaw allows a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed (and potentially leaked) to the kernel ring buffer (dmesg).
#### Stable 3602.2.3
* Linux
  * [CVE-2023-46862](https://nvd.nist.gov/vuln/detail/CVE-2023-46862) CVSSv3 score: 4.7 (Medium)
    An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur.
  * [CVE-2023-6121](https://nvd.nist.gov/vuln/detail/CVE-2023-6121) CVSSv3 score: n/a
    An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This flaw allows a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed (and potentially leaked) to the kernel ring buffer (dmesg).
Best,
The Flatcar Container Linux Maintainers
---
### Communication
#### Go/No-Go message for Matrix/Slack
Go/No-Go Meeting for Alpha 3815.0.0, Beta 3760.1.1, Stable 3602.2.3
Preview images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/
Tracking issue: https://github.com/flatcar/Flatcar/issues/1284
The Go/No-Go document is in our HackMD @flatcar namespace
Link: https://hackmd.io/@flatcar/ryv-Wu4UT/edit
Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait.
Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat.
@MAINTAINER @MAINTAINER @MAINTAINER
#### Mastodon
_The toot (from [@flatcar](https://hachyderm.io/@flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
New Flatcar Alpha, Beta, Stable releases now available!
📦 Package updates for Linux, afterburn, containerd
🔒 CVE fixes & security patches: Linux, ca-certificates
📜 Release notes at the usual spot: https://www.flatcar.org/releases/
#linux #cloudnative #containers #updates
#### Kubernetes Slack
_This goes in the #flatcar channel_
Please welcome this month's Flatcar releases:
- Alpha 3815.0.0 (new major)
- Beta 3760.1.1 (maintenance release)
- Stable 3602.2.3 (maintenance release)
These releases include:
📦 Package updates for Linux, afterburn, containerd
🔒 CVE fixes & security patches: Linux, ca-certificates
📜 Release notes in the usual spot: https://www.flatcar.org/releases/